Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:56777 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 27703 invoked from network); 5 Dec 2011 03:21:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Dec 2011 03:21:55 -0000 Authentication-Results: pb1.pair.com header.from=laruence@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=laruence@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.170 as permitted sender) X-PHP-List-Original-Sender: laruence@gmail.com X-Host-Fingerprint: 209.85.220.170 mail-vx0-f170.google.com Received: from [209.85.220.170] ([209.85.220.170:51396] helo=mail-vx0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 47/B0-19375-1D83CDE4 for ; Sun, 04 Dec 2011 22:21:53 -0500 Received: by vcbgb30 with SMTP id gb30so3851748vcb.29 for ; Sun, 04 Dec 2011 19:21:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=1yTQe16arZStSrzRIo2afn5IHufvSUnufsLenDnWkDQ=; b=LRlhat4okFzHAQizHfdSDg8FUW1BZqgsE79rjzvwJc6QOqenvfVfrIOenHCgARZmmH otdCDd+roC6Mq6Un6B2GIHNX66kwIr0ryTC+Ph2ceYfnv/HDd7wjG+rpsWEzSZreWLJF P8GbFd0kHmedisYGMtTQqkPx10nfVDfj2o1rk= Received: by 10.220.100.76 with SMTP id x12mr789292vcn.118.1323055310249; Sun, 04 Dec 2011 19:21:50 -0800 (PST) MIME-Version: 1.0 Sender: laruence@gmail.com Received: by 10.220.108.7 with HTTP; Sun, 4 Dec 2011 19:21:29 -0800 (PST) In-Reply-To: <4EDC015C.3080701@akbkhome.com> References: <4EDA4989.2010702@akbkhome.com> <4EDC015C.3080701@akbkhome.com> Date: Mon, 5 Dec 2011 11:21:29 +0800 X-Google-Sender-Auth: _UK1UNcUQdzSEVYop5L1B6wyOOo Message-ID: To: Alan Knowles Cc: internals@lists.php.net Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Fixing string offsets of strings. From: laruence@php.net (Laruence) Hi: I think we can only trigger notice, then act the same behavior as before. include isset. this would introduce the fewest bc breaks, what do you think? thanks On Mon, Dec 5, 2011 at 7:25 AM, Alan Knowles wrote: > A few answers... > > $s =3D "string"; =C2=A0isset($s['offset']) returns false > This is pretty critical, as it's the only way to detect this situation, a= nd > ensure that array tests do not return positive results for strings. It al= so > catches an obvious, but previously hidden and probably serious bugs in th= e > PHP code.. > > $s =3D "string"; =C2=A0$s[' =C2=A02 =C2=A0']; and $s['2foo'] both emit er= rors, and return > false from isset() - the code pretty much uses is_numeric() internally. - > I'm pretty sure these would be un-intentional bugs, so behaving as such > seems consistent. > > I do not mind either way if $s['offset'] returns the first char or an emp= ty > string, however it seemed a little inconstant to return false on isset(), > yet actually return a string. (although technically an empty string does > kind of indicate it is 'isset') - it at least leaves the engine in a > consistent state. Perhaps that change can wait's until 5.5.. thoughts... > > As for dropping the syntax for Strings eventually.. It would be nice, but > I'm not sure it is feasible anymore unfortunately. > > Regards > Alan > > > > > > On Monday, December 05, 2011 01:28 AM, Laruence wrote: >> >> Hi: >> =C2=A0 =C2=A0 I have submit a new patch based on the origin patch, =C2= =A0which only >> trigger notice when string offset cast occurred. >> >> thanks >> >> On Sun, Dec 4, 2011 at 10:25 PM, Laruence =C2=A0wrote: >>> >>> +1. >>> >>> thanks. >>> >>> On Sun, Dec 4, 2011 at 10:05 PM, Ferenc Kovacs =C2=A0= wrote: >>>> >>>> On Sat, Dec 3, 2011 at 5:08 PM, Alan Knowles =C2=A0= wrote: >>>> >>>>> I've had a look at making string offsets of strings a bit saner. >>>>> >>>>> At present with the fix for array dereferencing : =C2=A0?search=3Dhel= lo and a >>>>> test like isset($_GET['search']['name']) =C2=A0results in true, which= is has >>>>> potential security problems and is very confusing for any programmer >>>>> finding and working out why something like that may be failing. >>>>> >>>>> To solve this quite a few people agreed that not allowing non-numeric >>>>> string offsets on strings would be the smart way to go, the change is >>>>> going >>>>> to break BC, so the idea is to at least not break it too badly... >>>>> >>>>> This patch is a start. >>>>> https://bugs.php.net/patch-**display.php?bug_id=3D60362&** >>>>> >>>>> patch=3Dfirst_effort_to_fix_**this&revision=3Dlatest >>>>> >>>>> It's been quite a while since I hacked on the engine, so the patch on= ly >>>>> works reasonably well.. (see the FIXME on the tests at the bottom of >>>>> the >>>>> patch.) >>>>> >>>>> The patch changes the following: >>>>> =C2=A0* $s =3D "string"; =C2=A0$s['offset'] -- produces a warning (an= d returns an >>>>> empty string) >>>>> =C2=A0* $s =3D "string"; =C2=A0$s['1'] -- works as before.. >>>>> =C2=A0* $s =3D "string"; =C2=A0$s[true] $s[false] $s[0.1] -- give a n= otice (cast it >>>>> to >>>>> an int if you want to get rid of the notice) - however work as before= . >>>>> =C2=A0* changes the warning on invalid indexes to say "Uninitialized = or >>>>> invalid" rather than just "Uninitialized" >>>>> =C2=A0* fixes most of the related tests >>>>> >>>> I think that those changes are pretty much in line with the discussion >>>> that >>>> we had. >>>> Thanks for fixing this! >>>> >>>> >>>> -- >>>> Ferenc Kov=C3=A1cs >>>> @Tyr43l - http://tyrael.hu >>> >>> >>> >>> -- >>> Laruence =C2=A0Xinchen Hui >>> http://www.laruence.com/ >> >> >> > > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > --=20 Laruence =C2=A0Xinchen Hui http://www.laruence.com/